Repeat Offenders: Lessons From The Energy Sector

Lightning may not strike the same place twice, but cyber attackers tend to go with what they know works—which makes it all the more dangerous when organizations leave proven vulnerabilities untouched.

Lightning may not strike the same place twice, but cyber attackers tend to go with what they know works—which makes it all the more dangerous when organizations leave proven vulnerabilities untouched.

In the case of the U.S. Department of Energy, cybersecurity practices remain troublingly stagnant. The agency may have the resources to patch holes in their infrastructure, but year after year, officials have hesitated to implement policies to address repeat incidents, according to the DoE inspector general.

A review conducted early this year by auditors covered roughly 1,850 workstations and 28 locations, including facilities operated by the National Nuclear Security Administration. Of those, 11 different facilities were found to be running unsupported software on their servers, while nine others had neglected to install critical security patches.

An inspection of one facility revealed over 10,500 high-risk vulnerabilities that remained unpatched, most concerning “sensitive” information. The auditors’ report addressed more than half of the workstations missing security patches that had been issued at least 30 days before the investigation, which is a violation of federal cybersecurity policy.

When Push Comes to Shove…

In 2018, an audit of the DoE concluded with 25 recommendations to improve cybersecurity. Last year, the DoE addressed 21 of them, but failed to keep up with the dozens of new vulnerabilities that cropped up over the course of 2019.

Without the time to develop and implement federal cybersecurity policies, the DoE’s cybersecurity condition suffered. Other facilities saw policies and procedures that had been instilled, but never evaluated for effectiveness, according to the inspector general.

Security patches can seem typical and even monotonous, but in reality, they’re a key aspect of good vulnerability management practices. Applications and other facility-wide computer programs will benefit from up-to-date security software.

On the other hand, neglecting to install the latest security patches can result in vulnerabilities that have the potential to expose applications or even entire servers to malicious intent. Following the latest federal security mandates will be an important step for the DoE in the coming months.

… Don’t Get Left Behind

Although adhering to organization-wide security protocols is important, taking the initiative to implement your own best security practices will set you above and beyond.

BAI Security’s IT Security Assessment anticipates vulnerabilities on the horizon with fully comprehensive, non-threatening phone and email phishing scenarios, as well as enhanced tactics and other key services:

  • Vulnerability and Penetration Testing
  • Extensive Firewall Evaluation
  • Social Engineering Evaluation
  • Antivirus Best Practices Evaluation
  • Network Security Best Practices Evaluation
  • Remote Location (Branch) Evaluation
  • Remote Access Evaluation
  • Telco-Testing/War-Dialing Evaluation
  • Wireless Security Evaluation

For the future of your organization, it’s always worth getting ahead. Contact us today to learn more.